Skip to content

Instantly share code, notes, and snippets.

Last active February 4, 2023 17:41
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save MarianBojescu/da539a47d5eae29383a4804218ad7220 to your computer and use it in GitHub Desktop.
CryptoLocker attack CVE-2020-3992
Workaround for data recovery for linux vm`s
Step 1:
Create a new Virtual Machine on the same EXSI host that was affected. i useed debian 10
Step 2:
SSH login into the affected esxi host
Step 3:
# Go toy your datastore.
cd /your/datastore/mount/point
# Make a copy of the affected VM
mkdir OldVm_Recovery
cp OldVm/* OldVm_Recovery/ -r
Step 4:
cd OldVm_Recovery
# List all files
$ ls -la
-rw------- 1 root root 123456789 Feb 3 08:47 old-vm-flat.vmdk
# Create a new VMDk file
$ vmkfstools -c 123456789 -a lsilogic -d thin temp.vmdk // replace 123456789 with the size from ls -la output
# Remove temp-flat.vmdk
rm temp-flat.vmdk
# Rename newly created temp.vmdk
# The neme must be the same as flat file, without "-flat".
- Flat file old-vm-flat.vmdk
- WMDK file: old-vm.vmdk
mvtemp.vmdk old-vm.vmdk
# Edit vmdk file
vi old-vm.vmdk
# Change this line from
RW 209715201 VMFS "temp-flat.vmdk"
# To
RW 209715201 VMFS "old-vm-flat.vmdk"
# Delete this line
ddb.thinProvisioned = "1"
Step 5:
# Check the vmdk file, not *flat.vmdk
$ vmkfstools -e old-vm.vmdk
if everithing is ok go to the next step :D
Step 6:
# add old-vm.vmdk as additional disk to the Linux VM created at "Step 1"
# Login into the vm and install testdisk tool
$ apt install --assume-yes testdisk
Now follow the procedure from "" in order to rebuild partition table
if you are lucky, now you cand mount that disk and recover data from it.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment